Use Cases

Signando Keycloak protects identity infrastructure across regulated industries.

Banking & Financial Services

Enforce strict OIDC policies, block ROPC grant types, and protect Admin API endpoints. Meet BAIT/VAIT requirements with audit logging and compliance reporting.

  • Per-client scope whitelists for PSD2 APIs
  • PKCE enforcement for mobile banking apps
  • Admin API read-only mode for production environments
  • Token lifetime enforcement (short-lived tokens)

Healthcare

Protect patient identity data with SAML XXE prevention and strict redirect URI validation. Many healthcare systems use SAML for federation.

  • SAML signature wrapping prevention
  • Claim leakage detection (PII in tokens)
  • Redirect URI whitelist for patient portals
  • Audit trail for all authentication events

Government & Public Sector

BSI IT-Grundschutz-compliant Keycloak protection. Meet compliance requirements with full 4-process isolation and strong network boundaries.

  • Full deployment mode with 4 isolated networks
  • Master realm protection (immutable)
  • Export prevention (no credential exfiltration)
  • BSI Grundschutz compliance mapping

Multi-Tenant SaaS

Secure multi-tenant Keycloak deployments with realm isolation and per-client policies. Prevent cross-tenant access through strict realm whitelisting.

  • Realm whitelist enforcement
  • Per-client grant type and scope policies
  • Bulk operation detection (prevent mass data access)
  • Rate limiting per client_id

Energy & Critical Infrastructure

Protect SCADA and OT system identity providers with defense-in-depth. Network isolation ensures Keycloak is never directly reachable.

  • 4-process isolation with air-gapped networks
  • Static binary deployment (minimal attack surface)
  • No runtime dependencies (FROM scratch container)
  • Configurable timeouts for high-latency networks

Education & Research

Protect Shibboleth-federated Keycloak with SAML security. Many universities use SAML for cross-institutional federation.

  • SAML XXE and signature wrapping prevention
  • Algorithm enforcement (block weak SHA-1)
  • Assertion size limits
  • Free tier for evaluation and development